[Dnsmasq-discuss] dnsmasq treats Islands of Security as bogus

Patryk Szczygłowski patryk at patryk.net
Mon Mar 27 16:37:09 BST 2017


I have domain signed with DNSSEC: patryk.one.pl
The issue is, the parent one.pl is completely void of DNSSEC support (and
it will probably never get fixed).

- . is signed
- .pl is signed, no DS for .one.pl
- .one.pl is NOT signed, no DNSKEY, no DS for .patryk.one.pl
- .patryk.one.pl is signed

My domain is registered with dlv.isc.org, but this not important anymore,
as they announced closing down.

Have a look here:

The issue is dnsmasq is returning BOGUS instead of INSECURE. In consequence
the domain does not resolve.
I believe it is in contradiction with RFC:

It should mark BOGUS only if top-bottom validation determies DS in parent
but missing DNSKEY in child.

Current behaviour is promoting a race condition, when the domain owner
enabled DNSSEC, but didn't upload DS to parent and/or it didn't propagate.

The same situation was few years ago, when TLDs were gradually enabled,
when for a while they were signed with DNSKEY without DS being set on
parent, only to be put several months later. There are still unsigned TLDs
and I think they will stop being resolved completely when this happens

Google Public DNS behaviour is correct.

Patryk Szczygłowski
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20170327/3e950720/attachment.html>

More information about the Dnsmasq-discuss mailing list